Oddbean new post about login | logout Adding the client tag does not really change the security or privacy too much. IMO Almost all clients have a distinct way they construct events (order of tags, supporting hashtags, mention tagging, etc) so it wouldn't be to difficult to fingerprint events and guess what client constructed them. We kind of already do this in the nostrability repo when trying to figure out what client created bad or incompatible events I made it opt-out because it wouldn't be very effective if every user had to go digging in the settings to turn it on. and as I said above it does not change much for privacy
Although it could also be a "accept cookies" like thing. so when the user first loads the app it asks them if they want to tell other users they are using it... 🤔
I think it's a setting in Coracle, if I remember correctly.
yeah it has been a setting, opt in, for a long time in #coracle it should be opt in also as nostr:nprofile1qythwumn8ghj7un9d3shjtnwdaehgu3wvfskuep0qywhwumn8ghj7mn0wd68ytnzd96xxmmfdejhytnnda3kjctv9uq3wamnwvaz7tmjv4kxz7fwwpexjmtpdshxuet59uqsuamnwvaz7tmwdaejumr0dshszymhwden5te0wp6hyurvv4cxzeewv4ej7qgewaehxw309aex2mrp0yh8xmn0wf6zuum0vd5kzmp0qy2hwumn8ghj7mn0wd68ytn00p68ytnyv4mz7qpqqdjn8j4gwgmkj3k5un775nq6q3q7mguv5tvajstmkdsqdja2havqwss8ym points out, client devs need to do more to make their event constructions more uniform there is also security concerns related to this especially when clients get DMs working properly and exploits start appearing for snarfing metadata from relay users (actual seen times of events, user activity periods and timezone estimation etc) anyhow, i can understand the hostility towards opt-out telemetry, the number of times i see this in server apps being targeted at devs it's getting quite alarming how normalized this spy shit is becoming just say no to spyware!
I don't think it's anyones business what client I used to create notes. If I want to advertise your client I should be able to turn it on. On by default is a big no from me, sorry. Anything my client appends to my notes without my permission is too much imo. Tags are generally not user-facing. To be clear, I have been very against this for a really long time, but I'm a nostr nobody. I've had it on the roadmap for my signer since the spec introduced it. https://github.com/VnUgE/NVault?tab=readme-ov-file#extension
This is the thing. It's additional info in the events. Don't know if a normie user would understand that. And what about niche clients for a subset of users tagging the events? Very easy to track them.
I mean... There may be some.... interesting clients, eventually.
If you go from client to client, it's similar to a browsing history.
Sure I could see you swapping from desktop to mobile and so on
Or from some furry dating client to the interracial porn client to the Mormon homemaking client. LOL I mean, okay, obviously switch npubs, but still.
I think any client that injects non-critical tags into events by DEFAULT is wrong. Build a better UX that enables users to understand their purpose. I will continue to build tools that enable hard-core users to strip these tags before signing. Client's can break this if they want, but I hope they choose to accept the signed result as authoritative.
Agreed. I prefer relying on things that are very obviously public (zaps, replies, shares, ...) for discovery/recommendations.